During analysis, researchers identified multiple domains serving different roles, including an open-directory (Opendir) server, C2 domains for malicious browser extensions, and a C2 for EnigmaUiLauncher, with many of the domains masquerading as banking or invoice-related resources. Investigators traced additional malicious domains by inspecting the HTML of the extension's login panel (for example systemcloud26[.]com) and verified the results by requesting paths such as /enjoy.php.
#EnigmaUiLauncher #Cloudflare
Key points
- Multiple domains were identified with distinct purposes: an Opendir server, a C2 for malicious extensions, and a C2 for EnigmaUiLauncher.
- Many domains impersonate banking, invoice, or legitimate infrastructure terms using words such as nota, fiscal, computador, eletronica, and system.
- The malicious infrastructure is hosted behind Cloudflare load balancers, complicating direct attribution and takedown.
- Researchers used the HTML markup of the extension login panel to discover destination servers referenced in the extension source code.
- Example domain systemcloud26[.]com revealed a “Login – Painel” page and a statistics collection tool, enabling further enumeration.
- Verification was performed by following specific links such as /enjoy.php; some links were inactive but remaining paths were analyzed.
Indicators of Compromise
- [Domain names] Malicious infrastructure and C2 hosts: systemcloud26[.]com, novoservidor2026[.]com, securepainelx[.]com, datasyncpanel.onlinesistemacloudx[.]com
- [URLs/paths] Verification and active paths found on the hosts: http://systemcloud26[.]com/enjoy.php (path /enjoy.php)